Monday, March 23, 2009

Anti-Virus Solutions: Are they still 'Anti'? or AV is dead?

As we have seen from the past year when it came out to the public, that all AV solutions are dead. It was a real public fear rather than just a marketing trend. Examining the available market solutions on the basis of practical testing reports given out by AV-Comparitives.org, give us a clear picture of what is still alive or dead in the area of statistical viruses. These tests are conducted on the ground of following areas:

However to remind that these tests are not limited and are extended with other considerable factors such as, retrospective detection rate (heuristics and signature based) and statistical analysis without user interaction. Looking into the latest February-2009 Report, following products were tested for speed and false alarm rates.

In the overall test evaluation provided in the report at:http://www.av-comparatives.org/images/stories/test/ondret/avc_report21.pdf

The test-bench given above is contructed and evaluated on the basis of two sets of tests described in the report itself. However, the most interesting factor to notice is "how many malware samples have been tested"? to detect the static (and partially dynamic) behavior of the next-generation badwares.

Today's highly motivated attackers are more diverted into changing the detectable signature to undetectable and transparent malwares. This can easily be accomplished by applying latest cryptors, protectors and/or packing techniques. Thus, it is still viable to consider these set of AV solutions for static virus detections rather than complex and polymorphic malwares.

Comparing the false alarm rate with the set of malware composition from Test-Bench "A"(April 2006-2008) and Test-Bench "B"(May 2008 - Feb 2009), following outcome has been highlighted:

As we can see, Microsoft won this round, but what could be the reason behind it. On further determination, it can be justifiable that Microsoft has a good stand of Win32 machine learning capabilities in-depth at user/kernel layer. On the other side, no matter whichever AV vendor is trying to protect "at best" their customers from rising malware threats, they have to eat the bitsand pieces under the table before coming into the market.